Annotation of src/usr.bin/ssh/README.smartcard, Revision 1.6

1.1       markus      1: How to use smartcards with OpenSSH?
                      2:
                      3: OpenSSH contains experimental support for authentication using
                      4: Cyberflex smartcards and TODOS card readers. To enable this you
                      5: need to:
                      6:
1.6     ! rees        7: (1) enable SMARTCARD support in OpenSSH:
1.1       markus      8:
                      9:        $ vi /usr/src/usr.bin/ssh/Makefile.inc
                     10:        and uncomment
                     11:                CFLAGS+=        -DSMARTCARD
                     12:                LDADD+= -lsectok
                     13:
1.6     ! rees       14: (2) load the Java Cardlet to the Cyberflex card and set card passphrase:
1.1       markus     15:
                     16:        $ sectok
1.2       rees       17:        sectok> login -d
1.6     ! rees       18:        sectok> junload Ssh.bin
1.1       markus     19:        sectok> jload /usr/libdata/ssh/Ssh.bin
1.6     ! rees       20:        sectok> setpass
        !            21:        Enter new AUT0 passphrase:
        !            22:        Re-enter passphrase:
1.1       markus     23:        sectok> quit
                     24:
1.6     ! rees       25:        Do not forget the passphrase.  There is no way to
        !            26:        recover if you do.
        !            27:
        !            28:        IMPORTANT WARNING: If you attempt to login with the
        !            29:        wrong passphrase three times in a row, you will
        !            30:        destroy your card.
        !            31:
        !            32:        If you have loaded an older version of Ssh.bin on
        !            33:        your card previously, you must unload it and load
        !            34:        the new one.
        !            35:
        !            36: (3) load a RSA key to the card:
1.1       markus     37:
                     38:        please don't use your production RSA keys, since
                     39:        with the current version of sectok/ssh-keygen
                     40:        the private key file is still readable
                     41:
1.5       jakob      42:        $ ssh-keygen -f /path/to/rsakey -U 1
1.1       markus     43:        (where 1 is the reader number, you can also try 0)
                     44:
1.2       rees       45:        In spite of the name, this does not generate a key.
                     46:        It just loads an already existing key on to the card.
1.1       markus     47:
1.6     ! rees       48: (4) tell the ssh client to use the card reader:
1.1       markus     49:
                     50:        $ ssh -I 1 otherhost
                     51:
1.6     ! rees       52: (5) or tell the agent (don't forget to restart) to use the smartcard:
1.1       markus     53:
                     54:        $ ssh-add -s 1
                     55:
                     56: -markus,
                     57: Tue Jul 17 23:54:51 CEST 2001